diff options
author | Eli Schwartz <eschwartz@archlinux.org> | 2019-10-07 05:11:19 +0200 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2019-10-07 05:23:11 +0200 |
commit | f49233903521f19a1fcba6bf6c36abea71309a1e (patch) | |
tree | 9a841b16c6b0b34ef478f8b28fc61c8122aca46a /scripts | |
parent | 45e01e55c96d9abf8c73f6ee3766b16e5fbefc4d (diff) | |
download | pacman-f49233903521f19a1fcba6bf6c36abea71309a1e.tar.gz pacman-f49233903521f19a1fcba6bf6c36abea71309a1e.tar.xz |
pacman-key: make sure we actually use the Web of Trust, which GnuPG doesn't.
By default, the latest versions of GnuPG disable the Web of Trust and
refuse to import signatures from public keyservers. This is to prevent
denial of service attacks, because refusing to import signatures only if
the key size is too big, is apparently too silly to consider.
Either way, pacman needs the WoT. If pacman imports a key at all, it
means everything failed and we are in fallback mode, trying to overcome
a shortcoming in the availability of keys in the keyring package.
(This commonly means the user needs to acquire a new key during the same
transaction that updates archlinux-keyring.)
In order for that new key to be usable, it *must* also import signatures
from the Master Keys.
I don't give credence to this supposed DoS, since the worst case
scenario is nothing happening and needing to CTRL+C in order to exit the
program. In the case of pacman, this is better than being unable to
install anything at all (which is gnupg doing a much more harmful DoS to
pacman), and in the already unusual case where something like
--refresh-keys is being used directly instead of depending on the
keyring package itself, gnupg supports WKD out of the box and will
prefer that for people whose keys are marketed as being non-DOSable.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/pacman-key.sh.in | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index c3b02850..93600bc0 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -210,6 +210,11 @@ initialize() { add_gpg_conf_option "$conffile" 'lock-never' add_gpg_conf_option "$conffile" 'keyserver-options' 'timeout=10' + local gpg_ver=$(gpg --version | awk '{print $3; exit}') + if (( $(vercmp "$gpg_ver" 2.2.17) >= 0 )); then + add_gpg_conf_option "$conffile" 'keyserver-options' 'no-self-sigs-only' + fi + # gpg-agent.conf agent_conffile="${PACMAN_KEYRING_DIR}/gpg-agent.conf" [[ -f $agent_conffile ]] || touch "$agent_conffile" |